Skip to main content
Version: 8.2411.x.x RR

Built-in job types

The following chapters describe the jobs that are included in the nevisIDM distribution.

dataPorter export job

nevisDataPorter is a flexible and extensible data migration framework by Nevis Security. In short, it can be used to extract entities (such as users) from a data source, perform transformations on the entity, and then store the entity in a data sink. See the nevisDataPorter reference guide [6] for details.

Class

ch.nevis.idm.batch.jobs.DataPorterExportJob

Configuration

FieldRequired?FormatDescription
dataporter.configtrueStringPath to a dataporter XML configuration.
dataporter.simulatefalsebooleanSpecifies if dataporter should be run in simulation mode. Default value false.
dataporter.libDirtrueStringDefines where the dataporter JAVA libraries are located. Usually installed by the separate component nevisDP at /opt/nevisdp/lib.

Any additional config parameters defined for the job are passed as-is to the dataPorter, and can be referenced in the XML configuration (e.g., ${cfg.paramName}).

Logging

  • ch.nevis.idm.batch.jobs.DataPorterExportJobdataporter.configdataporter.timingdataporter.simulatedataporter.statistic

Example(s)

See chapter 5.4.3.4 "Example of a batch job configuration file".

Inactive user disabling job

Deprecated

This job is deprecated. Its functionality is available in the job UpdateUserStateJob. Configure UpdateUserStateJob with the following parameters to have the old behavior from DisableInactiveUserJob:

  • daysNoActivity=<parameter "daysInactive" from DisableInactiveUserJob>
  • considerUsersNeverLoggedIn=false
  • sendWarning=false
  • daysGracePeriod=0
  • daysStatusArchived=1
  • disableOutdatedUsers=false
  • disableNotYetActiveUsers=false
  • This job allows for periodically disabling users that have not logged in a configurable number of days.

Class

ch.nevis.idm.batch.jobs.DisableInactiveUsersJob

Configuration

FieldRequired?FormatDescription
daysInactivetruenumberNumber of days of inactivity after which a user will be disabled.

Logging

  • ch.nevis.idm.batch.jobs.DisableInactiveUsersJob

Example(s)

<bean id="disableInactiveUsersJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Disables users that have not logged in for a while"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.DisableInactiveUsersJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="daysInactive" value="365"/>
</map>
</constructor-arg>
</bean>
</property>
</bean>

Recreate certificate information job

Many certificate parameters like validity dates or the fingerprint are extracted from the certificate by nevisIDM upon its upload and registration. These parameters are then stored separately in the database for performance reasons in search operations. If, for any reason, the extracted parameters become invalid or deleted, this batch job allows to completely re-extract these parameters from the certificates.

Depending on the amount of stored certificates and the configuration parameter, this job may take very long and may lock out users with certificates.

On one side, to avoid massive performance overhead by using one service call for every single certificate, the certificates are handled in groups (chunks). On the other side, if the group size is too big, the amount of concurrently locked database objects may get too large and lock out more users than required (namely all certificate users in this chunk). To find an optimal way between a vast amount of service calls and the size of concurrently locked objects on the database, chunk size may need to be adjusted. So far, a value of 100 has shown to be good for most scenarios.

Class

ch.nevis.idm.batch.jobs.RecreateCertificateInfosJob

Configuration

FieldRequired?FormatDescription
certinfo.chunksizetruenumberSize of groups in which certificates are locked and updated.

Logging

  • ch.nevis.idm.batch.jobs.RecreateCertificateInfosJob

Example(s)

<bean id="recreateCertificateInfosJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Recreate all certinfo from certificates"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.RecreateCertificateInfosJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="certinfo.chunksize" value="100"/>
</map>
</constructor-arg>
</bean>
</property>
</bean>

Recreate localized hierarchical name job

For performance reasons, language dependent hierarchical names are precomputed in nevisIDM upon creation or modification. Some circumstances, for example some imports and exports or direct changes to the database, may invalidate these precomputed values. This job recreates all hierarchical name elements by recursively reassembling them.

Depending on the amount of hierarchical levels, this job may take very long.

Class

ch.nevis.idm.batch.jobs.RecreateLocalizedHnamesJob

Logging

  • ch.nevis.idm.batch.jobs.RecreateLocalizedHnamesJob

Example(s)

<bean id="recreateLocalizedHnamesJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Recreate all hierarchical names"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.RecreateLocalizedHnamesJob"/>
<property name="durability" value="true"/>
</bean>

Remove all failed printing jobs from the persistent queue

This is a clean-up job which removes all failed printing jobs currenlty stored in the persistent queue. Possible reasons why a printing job has failed are:

  • missing template in the template store
  • no value found for a mandatory placeholder

The failed printing jobs are kept in the queue to allow a manual retriggering for them. As soon as an administrator as handled the failed jobs, they can be removed by means of this batch job.

Class

ch.nevis.idm.batch.jobs.DeleteAllFailedPrintingEventsJob

Configuration

FieldRequired?FormatDescription
daystruenumberDefines that all printing events older than the defined number of days are deleted.

Logging

  • ch.nevis.idm.batch.jobs.DeleteAllFailedPrintingEventsJob

Example(s)

<bean id="deleteFailedPrintingEventsJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Delete failed printing events from event queue"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.DeleteAllFailedPrintingEventsJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="days" value="90"/>
</map>
</constructor-arg>
</bean>
</property>
</bean>

Prune history data job

On every add/update/delete action in the nevisIDM database, nevisIDM writes history entries so that the modifications can be tracked. It is a complete audit of modifications done by users or by nevisIDM (upon authentication processes, batch job executions, etc). With this batch job, very old history data can automatically be pruned to save space on the DB as well as speed up nevisIDM features that are based on the history data. The batch job deletes old records from history/versioning tables, leaving a single event. If the original entity is not there anymore, the job removes all history records.

Class

ch.nevis.idm.batch.jobs.PruneHistoryJob

Configuration

FieldRequired?FormatDescription
daystruenumberDefines that all data older than the defined number of days is deleted.
skipListfalseStringComma-separated list of versioned tables to be ignored by the prune history job.

Logging

  • ch.nevis.idm.batch.jobs.PruneHistoryJob

Example(s)

<bean id="pruneHistoryJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean>
<property name="description" value="History cleanup job"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.PruneHistoryJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="days" value="365"/>
<!-- deletes the entries in all tables except TIDMA_CRED_LOGIN_INFO_V
and TIDMA_USER_LOGIN_INFO_V -->
<entry key="skipList" value="TIDMA_CRED_LOGIN_INFO_V,TIDMA_USER_LOGIN_INFO_V" />
</map>
</constructor-arg>
</bean>
</property>
</bean>

UpdateUserStateJob

This batch job is used to degrade the user's status due to inactivity. The degradation is gradually (from disabled to archived, from archived to deleted) and intervals between degradation can be configured. Furthermore, the job can send a warning per e-mail to the user before the user is disabled. To use this feature, make sure that e-mail templates of the event "DeactivationWarning" have been defined in nevisIDM.

Class

ch.nevis.idm.batch.jobs.UpdateUserStateJob

Configuration

FieldRequired?FormatDescription
daysNoActivitytruenumberDays of inactivity before warning. -1 and 0 mean: Do not care about inactive users.
daysNoActivitySinceReactivationfalsenumberDays of inactivity of a reactivated user. After these number of inactivity days, the reactivated user is considered in the automatic deactivation procedure. -1 and 0 are not set, which means that the reactivated users do not get special treatment.
neverLoggedInDaysNoActivityfalsenumberDays of inactivity before warning for users who have never logged in. -1 and 0 mean: Do not care about inactive users.
neverLoggedInGracePeriodfalsenumberDays of inactivity of a user who has never logged in, but already been warned. After these number of inactive days, the user is considered in the automatic deactivation procedure.
considerUsersNeverLoggedIntruebooleanWhen true, the job will also find users, who have never logged in, but were created more than daysNoActivity days ago.
sendWarningtruebooleanWhether or not to send a warning.
sendingMethodfalseStringDescribes a fallback list of different communication methods. The value has to be a subset of those predefined values: None, Print, Email, PDFstore, SMS_SMTP, HTMLemail, PDFemail. Default is Email. When one of the list members is not recognized as a valid sendingMethod, the default Email will be used. The communication event is DeactivationWarning.
daysGracePeriodtruenumberDays of inactivity between warning and disabling the user.
daysStatusDisabledtruenumberDays between disabling and archiving the user (0 means archive all disabled users immediately, -1 means do not touch disabled users).
daysStatusArchivedtruenumberDays between archiving and deletion (0 means delete all archived users immediately, -1 means do not touch archived users).
disableOutdatedUserstruebooleanWhether or not to disable users after validity period.
disableNotYetActiveUsersfalsebooleanWhether or not to disable users before validity period.
excludeUsersfalseStringThe users listed here are protected from the job's actions. The three technical users (bootstrap, batchjob, nevisauth) are always excluded, even if not listed here. Format: 111/222, 112/223 (comma-separated list of <clientExtId>/<userExtId>)
excludeTechnicalUsersfalsenumberDefines whether technical users are excluded from the update process. Default value true.
excludeMainUsersfalsenumberDefines whether main users (users who have deputies) are excluded from the update process. Default value: true.
excludeUnitsfalsenumberList of units to be excluded. Format: comma-separated list of <clientExtId>/<unitExtId> Example: excludeUnits=111/222,112/223 Users who belong to one of these units or one of their subunits, will not be processed. The subunits of the listed units will be automatically excluded too.
excludeRolesfalsenumberComma-separated list of role extIds. Users with one of these roles will not be processed.
restrictToClientsfalseStringFormat: comma-separated list of clientExtIds. If not set, the job will act on all clients. Otherwise, it is restricted to the specified clients.
restrictToUnitsfalseStringList of units to be included. Format: comma-separated list of <clientExtId>/<unitExtId> Example: restrictToUnits=111/222,112/223O Only users who belong to one of these units or one of their subunits will be processed. If the parameter is empty, users from all units will be processed. The subunits of the listed units will be automatically included too.
restrictToEnterpriseRolesfalseStringList of enterprise roles to be included. Format: comma-separated list of <clientExtId>/<enterpriseRoleExtId> Example: restrictToEnterpriseRoles =100/12223,100/1223 Only users which have one or more of the listed enterprise roles will be processed. If the parameter is empty, there will be no filtering by enterprise roles.
changeReasonCodefalsenumberCode of the change reason to be used when the state of a user is changed. If the parameter is set, the stateChangeReasonCd attribute of the user entity will be set to the given code. If the value of the changeReasonCode is invalid (not a number or no change reason exists with the given code), the parameter will be ignored.
note

When a user is in its original state, and the state is DISABLED or ARCHIVED, the job will degrade the user status without checking daysStatusDisabled or daysStatusArchived parameters.

Logging

  • ch.nevis.idm.batch.jobs.UpdateUserStateJob

Example(s)

Disable outdated users

<bean id="updateUserStateJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Degrade status when user is inactive or validity period expired"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.UpdateUserStateJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="daysNoActivity" value="0"/>
<entry key="considerUsersNeverLoggedIn" value="false"/>
<entry key="sendWarning" value="false"/>
<entry key="daysGracePeriod" value="0"/>
<entry key="daysStatusDisabled" value="-1"/>
<entry key="daysStatusArchived" value="-1"/>
<entry key="disableOutdatedUsers" value="true"/>
<entry key="disableNotYetActiveUsers" value="true"/>
</map>
</constructor-arg>
</bean>
</property>
</bean>

Deprecated inactive user disabling job replacement

<bean id="updateUserStateJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Degrade status when user is inactive or validity period expired"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.UpdateUserStateJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="daysNoActivity" value="365"/>
<entry key="considerUsersNeverLoggedIn" value="false"/>
<entry key="sendWarning" value="false"/>
<entry key="daysGracePeriod" value="0"/>
<entry key="daysStatusDisabled" value="-1"/>
<entry key="daysStatusArchived" value="-1"/>
<entry key="disableOutdatedUsers" value="false"/>
<entry key="disableNotYetActiveUsers" value="false"/>
</map>
</constructor-arg>
</bean>
</property>
</bean>

Full functionality

<bean id="updateUserStateJob"  class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Degrade status when user is inactive or validity period expired"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.UpdateUserStateJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="daysNoActivity" value="365"/>
<entry key="considerUsersNeverLoggedIn" value="true"/>
<entry key="sendWarning" value="true"/>
<entry key="sendingMethod" value="HTMLemail, Email"/>
<entry key="daysGracePeriod" value="30"/>
<entry key="daysStatusDisabled" value="90"/>
<entry key="daysStatusArchived" value="300"/>
<entry key="disableOutdatedUsers" value="true"/>
<entry key="disableNotYetActiveUsers" value="true"/>
<entry key="excludeUsers" value="100/12345, 100/1002"/>
<entry key="restrictToClients" value="100, 1001"/>
<entry key="excludeTechnicalUsers" value="true" />
<entry key="excludeMainUsers" value="true" />
</map>
</constructor-arg>
</bean>
</property>
</bean>

UpdateCredentialStateJob

This batch job runs the process described below on credentials in an asynchronous way, i.e., independent of any authorization process.

  1. It disables/deletes any expired credentials (referenced as House-keeping from here).
  2. It changes the credentials state according to the policy parameters and Job Configuration.

It can be used for explicitly disabling (all types of) expired credentials and for credential- and policy-specific credential updates. Currently, only OTP card and ticket credentials are processed in this policy-aware manner.

Class

ch.nevis.idm.batch.jobs.UpdateCredentialStateJob

Configuration

Following parameters are not applied to house-keeping, but only to the credential-specific updates.

FieldRequired?FormatDescription
restrictToClientsfalseStringcomma-separated list of clientExtIds. If not set, the job will act on all clients. Otherwise, it is restricted to the specified clients.
enableDoubleRenewOfOTPfalsebooleanIf true: old OTP card is renewed even if there is a new card already. If false: renewal process not triggered if there is a new card already. Default value false.
sendingMethodfalseStringDescribes a fallback list of different communication methods. The value has to be a subset of those predefined values: None, Print, Email, PDFstore, SMS_SMTP, HTMLemail, PDFemail. Default is Email. When one of the list members is not recognized as a valid sendingMethod, the default Email will be used. The communication event is OTPExpirationWarning or TicketExpirationWarning.
credentialTypesfalseStringDefines the credential types which are affected during the processing. Format: comma-separated list of credential type names. If not set, OTP will be used as a fallback. The following restrictions apply. For disabling credentials, the credential types need to have a policy type defined, therefore currently only credential types, except for sending out warnings, the credential types need to have a communication event type defined, therefore currently only the types: OTP, TICKET, CERTIFICATE are supported.
expireActionfalseStringDefines the action taken on expired credentials. Possible values: disable, delete. Note that state change reason code of the disabled credentials will be "Credential changed by batch job". Default value disable.

Logging

  • ch.nevis.idm.batch.jobs.UpdateCredentialStateJob

Example(s)

Disable outdated users

<bean id="updateCredentialStateJob"  class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Update credential state job"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.UpdateCredentialStateJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="restrictToClients" value="100"/>
<entry key="enableDoubleRenewOfOTP" value="true" />
<entry key="sendingMethod" value="HTMLemail, Email"/>
<entry key="credentialTypes" value="OTP, TICKET, CERTIFICATE" />
<entry key="expireAction" value="disable" />
</map>
</constructor-arg>
</bean>
</property>
</bean>

The UpdateCredentialStateJob is supposed to run daily. If run more often, some events could be triggered more than once.

OTP-specific credential updates

When the OTP card policy parameter sendWarningWhenCloseToExpiration is set to true and closeToExpirationThreshold is under run, the job generates an OTPExpirationWarning communication event.

When the OTP card policy renewWhenCloseToExpiration is set to true and closeToExpirationThreshold is under run, the job generates a new OTP card, and the old (but not yet expired) card will act as a fallback until the new card is used.

Ticket and certificate-specific credential updates

When the ticket or the certificate credential policy parameter sendWarningWhenCloseToExpiration is set to true and closeToExpirationThreshold is under run, the job generates a TicketExpirationWarning or CertificateExpirationWarning communication event.

Currently, automatic renewal is not supported for ticket and certificate credentials.

SingleClientDataConsistencyJob

The goal of the SingleClientDataConsistencyJob batch job is to restore data consistency in the single-client mode.

The batch job performs the following actions:

  • In the single-client mode, each application should be assigned to the default client. The job assigns the default client to any application without an assigned client.
  • In the single-client mode, each authorization of a nevisIDM role without global client data room must be assigned to the default client data room. The job adds the default client data room to any authorization of a nevisIDM role that has no global client data room and no client data room assigned. The special roles SelfAdmin and TechUser are not considered in the check.

The SingleClientDataConsistencyJob can only be executed in single-client mode. The execution of the job has no effect in the multi-client mode.

Class

ch.nevis.idm.batch.jobs.SingleClientDataConsistencyJob

Logging

  • ch.nevis.idm.batch.jobs.SingleClientDataConsistencyJob

Example(s)

<bean id="singleClientDataConsistencyJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Single client data consistency job"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.SingleClientDataConsistencyJob"/>
<property name="durability" value="true"/>
</bean>

EncryptionFallbackCorrectorJob

The goal of the EncryptionFallbackCorrectorJob batch job is to re-encrypt the credentials and property values originally encrypted with the default encryption key.

caution

This job is only to run once in the maintenance period if the database already has mixed data, and it should be migrated to the new encryption key. Start the script from admin console only.

To run this job, set security.properties.fallback.enabled to false.

Class

ch.nevis.idm.batch.jobs.SingleClientDataConsistencyJob

Configuration

FieldRequired?FormatDescription
oldIvfalseStringIV defined for the old encryption, the default value is the setting for the default IV.
oldKeyfalseStringKey defined for the old encryption, the default value is the setting for the default key.
oldPaddingLengthfalsenumberPadding length defined for the old encryption, the default value is the setting for the default key.
oldAlgorithmfalseStringAlgorithm defined for the old encryption, the default value is the setting for the default key.
oldCipherfalseStringCipher defined for the old encryption, the default value is the setting for the default key.
forceUpdatefalsebooleantrue means, that the job should re-encrypt the encrypted value even if the credential or property value currently violates a policy.
updateDatetrueDateDate when the new encryption key was set for the system. This is used to determine if some values were encrypted with the new encryption key, so they will not be re-encrypted as if they were still encrypted with the old key. Format: yyyy-MM-dd'T'HH:mm:ss.SSS'Z'

Logging

  • ch.nevis.idm.batch.jobs.SingleClientDataConsistencyJob
  • ch.nevis.idm.batch.jobs.encryptionconverter.AbstractEncryptionConverter

Example(s)

<bean id="encrpytionFallBackCorrectorJob" class="org.springframework.scheduling.quartz.JobDetailFactoryBean">
<property name="description" value="Upgrade all default encryption entities to new key"/>
<property name="name" value="EncrpytionFallBackCorrectorJob"/>
<property name="group" value="ExportGroup"/>
<property name="jobClass" value="ch.nevis.idm.batch.jobs.EncryptionFallbackCorrectorJob"/>
<property name="durability" value="true"/>
<property name="jobDataMap">
<bean class="org.quartz.JobDataMap">
<constructor-arg>
<map>
<entry key="updateDate" value="2022-08-05T11:50:00.000Z"/>
<entry key="forceUpdate" value="true"/>
</map>
</constructor-arg>
</bean>
</property>
</bean>